Moving Fast and Securing Things

For development teams, process can often be antithetical to speed. Ease of deployment and security tend to have an inverse relationship, with some resentment for the security team occasionally mixed in. You may have seen the following tweet: https://twitter.com/petecheslock/status/595617204273618944?lang=en

We believe things don't have to be like that. In this post, we will discuss how…

Max Feldman
13 min read · intermediate

Overview

The article discusses Slack's implementation of its Security Development Lifecycle (SDL) and the goSDL tool designed to enhance security without hindering deployment speed. It emphasizes the importance of developer empowerment, transparency, and continuous integration in maintaining security standards while scaling rapidly.

What You'll Learn

1. How to implement a Security Development Lifecycle (SDL) in a fast-paced environment
2. Why developer empowerment is crucial for effective security practices
3. How to use the goSDL tool to assess security risks during feature development

Prerequisites & Requirements

  • Basic understanding of security concepts in software development
  • Familiarity with Slack and its development environment (optional)

Key Questions Answered

What is the Security Development Lifecycle (SDL) at Slack?
The Security Development Lifecycle (SDL) at Slack is a process designed to integrate security practices into the software development lifecycle. It aims to ensure that security is considered at every stage of development, allowing teams to deploy features rapidly while maintaining a strong security posture.
How does the goSDL tool assist developers in ensuring security?
The goSDL tool guides developers through a series of questions and checklists that help assess the security of new features. By initiating the SDL process with a simple slash command in Slack, developers can identify risks and ensure that security considerations are integrated into their workflow.
What are the benefits of using checklists in the SDL process?
Checklists in the SDL process are inspired by aviation safety protocols and aim to reduce human error in security practices. They ensure that developers adhere to security measures consistently, helping to prevent vulnerabilities and improve overall code quality.
What lessons has Slack learned from implementing the SDL?
Slack has learned the importance of transparency and developer engagement in security processes. Feedback from developers has been invaluable in refining the SDL and ensuring that it meets the needs of the team while fostering a culture of security awareness.

Key Statistics & Figures

Daily deployments: approximately 100 times per day
This statistic highlights Slack's rapid deployment culture, which necessitates an efficient SDL process.

Employee growth: from 100 to over 800 employees
This growth reflects Slack's rapid expansion and the corresponding need for scalable security practices.

Key Actionable Insights

1. Integrate security practices into your development process early to avoid bottlenecks later.
   By embedding security considerations from the start, teams can streamline their workflows and reduce the need for extensive revisions later in the development cycle.
2. Utilize tools like goSDL to facilitate risk assessments and enhance developer autonomy.
   Empowering developers with tools that simplify security assessments can lead to faster feature deployment while maintaining a strong security posture.
3. Foster a culture of transparency and communication between security and development teams.
   Regular interactions and open forums can help build trust and ensure that security practices are understood and embraced by all team members.

Common Pitfalls

1. Failing to integrate security into the development process can lead to significant vulnerabilities.
   When security is an afterthought, teams may overlook critical risks, resulting in potential breaches and costly fixes.
2. Creating an adversarial relationship between security and development teams can hinder collaboration.
   If security is perceived as a blocker, developers may resist engaging with security practices, leading to gaps in security coverage.

Related Concepts

Security Development Lifecycle (SDL)
Continuous Integration and Continuous Deployment (CI/CD)
Developer empowerment in security practices